I’m no expert on how software gets made, but over the years I’ve learned that, more often than not, rather than write brand-new code, it’s more efficient for developers to assemble an application from existing building blocks.

It’s similar to building a house: Most of the component pieces are standardized and are used in predictable ways; some are tweaked a bit to function just a bit differently than originally; and some are custom-made to fit the taste and desire of the builder.

It’s certainly efficient, and saves the time and effort of recreating a block of code that gets the job done. But there can be a problem. Let’s say the home builder chooses a wonky model of dishwasher, but no one knows it’s wonky until it’s too late. The dishwasher can be swapped out for a better one. But what if there’s a problem in the parts used to build the foundations of the house?

A software developer can easily choose an open-source component that has some unknown security weaknesses, or which uses some code that is subject to a license. Or it simply might not be up to date, or the component might not be very good. And once it’s used, one block might turn out to be a linchpin to other critical bits of the application, so swapping it out can get complicated quickly.

Software developers need a little help in vetting and evaluating and managing all the software components they use. And a start-up called Sonatype is out to help them do it. It announced this morning that it has landed $25 million in funding in a round led by New Enterprise Associates, with existing investors Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures and Bay Partners all participating.

Sonatype runs something called the Central Repository, essentially a library of some 400,000 software components that is so widely used by software developers that it gets about five billion requests a year. That gives it a lot of visibility into what components are being used, and what potential problems might be cropping up. Simply keeping track of what software components were used to build an application goes a long way toward solving problems as they arise down the road, Sonatype CEO Wayne Jackson told me.

According to a study Sonatype commissioned in March, developers at the world’s 500 biggest companies downloaded 2.8 million components suffering from security problems last year. When you consider that 80 percent of software applications built are using these prebuilt components, you get an idea of the potential scale of the problem. Here’s another tidbit that, on its face, is kind of alarming: Firms in the financial services industry were the heaviest users of these insecure components, downloading some 567,000 of them in one year. One user in three hadn’t downloaded the most up-to-date version of the component with known security problems fixed.

Sonatype’s approach to this problem comes in helping developers evaluate and manage the components they use. Its customers, which include Intuit, Cisco Systems, Skype and Hewlett-Packard, get a deep look at everything there is to know about a given component, so they can decide if it’s really the best bit of code for the job at hand. It has essentially created its own market niche, known as “component lifecycle management.”

As part of the investment, Harry Weller, a general partner at NEA, will join Sonatype’s board of directors. In a statement, he described the company as being “… In a prime position to become the must-have tool used by every development organization in the world.”

The round brings Sonatype’s total capital raised to $35 million. It was founded in 2010 by Jason van Zyl, the creator of Apache Maven and the Central Repository.

Coming on the heels of yesterday’s record-setting $100 million Series A investment by Andreessen Horowitz in GitHub, it’s a pretty clear sign that software-development tools and infrastructure are where the VC money is flowing right now, and another sign of Marc Andreessen’s argument that software is “eating the world.” Think of GitHub as where open-source software is born. Sonatype’s Central Repository is where that software goes when it’s all grown up.